Crypto-Ransomware: Your Feared IT Nightmare
Ransomware has become an escalating cyberplague that represents an enterprise-level danger for businesses unprepared for an attack. Different families of ransomware such as CrySIS, Fusob, Locky, SamSam and MongoLock have been running rampant for a long time and continue to cause damage. More recent variants like Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nefilim, along with additional unnamed strains, not only encrypt online data but also seek out and encrypt any configured system backups they can reach. Data replicated to cloud environments can also be rendered useless. In a poorly designed environment this can make automated recovery impossible and effectively set the network back to square one.
Recovering services and information after a ransomware attack becomes a sprint against time as the victim tries to stop lateral movement, clean up the ransomware, and resume business-critical activity. Because ransomware needs time to move laterally, intrusions are frequently launched on weekends and holidays, when successful attacks typically take longer to discover. This compounds the difficulty of quickly marshalling and coordinating a qualified response team.
Progent makes available an assortment of solutions for protecting Pasadena enterprises from ransomware events. These include team member education to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of modern security gateways with artificial intelligence capabilities to automatically detect and contain zero-day attacks. Progent can also provide expert ransomware recovery engineers with the track record and perseverance to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware event, paying the ransom demand in Bitcoin does not ensure that the criminal gang will return the keys needed to decrypt any of your data. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never recovered their information after sending the ransom, compounding their losses. The gamble is also costly: Ryuk ransoms commonly range from fifteen to forty BTC (between $120,000 and $400,000). This is significantly above the typical ransomware demand, which ZDNET estimated to be around $13,000 for small businesses. The alternative is to rebuild the critical parts of your IT environment. Without access to complete backups, this calls for a wide complement of skills, top-notch project management, and the ability to work 24x7 until the recovery project is finished.
For two decades, Progent has provided professional Information Technology services for businesses across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has expertise with financial systems and ERP application software. This breadth of expertise allows Progent to rapidly understand critical systems, identify the surviving components of your network after a crypto-ransomware event, and reassemble them into a functioning system.
Progent's recovery team uses top-notch project management practices to coordinate the complex recovery process. Progent understands the urgency of working rapidly and in concert with a client's management and IT staff to prioritize tasks and bring key systems back online as soon as humanly possible.
Customer Case Study: A Successful Ransomware Intrusion Restoration
A client escalated to Progent after their network was attacked by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state cybercriminals, possibly using techniques leaked from America's National Security Agency. Ryuk targets specific organizations with little or no tolerance for disruption and is among the most lucrative examples of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer based in the Chicago metro area with around 500 workers. The Ryuk attack had shut down all business operations and manufacturing capabilities. Most of the client's backups had been online at the start of the attack and were destroyed. The client considered paying the ransom demand (in excess of $200,000) and hoping for good luck, but ultimately called Progent.
"I can't speak enough about the help Progent provided us during the most critical period of (our) business's survival. We most likely would have paid the hackers if not for the confidence the Progent group afforded us. That you were able to get our messaging and key servers back online in under five days was something I thought impossible. Each person I spoke to or e-mailed at Progent was amazingly focused on getting us back online and was working at breakneck pace to bail us out."
Progent worked with the customer to quickly identify and prioritize the mission-critical systems that had to be addressed in order to resume business operations:
- Microsoft Active Directory
- Microsoft Exchange Server
- Accounting and Manufacturing Software
To start, Progent followed industry best practices for anti-virus/anti-malware incident response by halting lateral movement and removing active malware. Progent then started the task of recovering Windows Active Directory, the core of enterprise networks built on Microsoft Windows Server. Exchange messaging will not function without Active Directory, and the customer's accounting and MRP software used Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the data.
Within 2 days, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then carried out reinstallations and storage recovery for critical applications. All Exchange schema and configuration information was intact, which simplified the Exchange rebuild. Progent was able to collect unencrypted OST files (Outlook Offline Data Files) from user workstations to recover mail messages. A recent offline backup of the business's accounting/MRP systems made it possible to bring these vital applications back online. Although much work remained to recover fully from the Ryuk attack, critical services were restored quickly:
"For the most part, the production operation showed little impact and we produced all customer orders."
During the following month, key milestones in the recovery were reached through close cooperation between Progent engineers and the client:
- Self-hosted web sites were restored with no loss of data.
- The MailStore Server email archive, holding over four million archived emails, was brought online and made accessible to users.
- The CRM, Orders, Invoices, Accounts Payable (AP), Accounts Receivable (AR) and Inventory Control modules were completely recovered.
- A new Palo Alto Networks PA-850 security appliance was installed and configured.
- 90% of the user desktops and notebooks were back in use by staff.
"A lot of what transpired in the early hours is nearly entirely a blur for me, but I will not soon forget the care each and every one of your team put in to give us our business back. I have been working with Progent for the past 10 years, possibly more, and each time Progent has shined and delivered. This situation was a stunning achievement."
A likely business-ending catastrophe was avoided thanks to results-oriented professionals, a broad array of knowledge, and tight teamwork. In hindsight, the crypto-ransomware intrusion described here could have been blocked with modern cyber security systems, ISO/IEC 27001 best practices, staff training, and well thought out procedures for backups and patching. The reality, though, is that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and remain an ongoing threat. If you do fall victim to ransomware, you can be confident that Progent's team of experts has extensive experience in ransomware prevention, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for letting me get some sleep after we got through the initial fire. Everyone did an amazing job, and if anyone is around the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)